I received some emails lately asking me for advice on how to prove a SIEM tool's ROI to higher management (justify the acquisition, prove that the solution helps, etc.).
If you focus only on the technical aspects, I admit that life becomes more difficult (world crisis, lack of technical knowledge in higher management, etc.) and it gets hard to prove the ROI.
When I work on SIEM projects, one of my major rules is to understand my customer's business and not only the network/system security aspects.
- What do they do?
- How do they do it?
- What facts can impact their revenue?
- What systems/devices run their main applications?
- Are there any frauds they're aware of?
With this information you can work together with your customer (internal or external) to define correlation rules that will not only help secure the company's network and systems but will also create tremendous value for the business.
With this kind of rule in place, you can now collect much more easily the information that will prove the ROI of your solution.
Some questions you can ask in order to gather this information:
- How many security/network/system events were identified by your SIEM solution?
- What would the losses have been if your system hadn't identified them earlier?
- How much has system availability improved since the SIEM solution was deployed?
- How many business/fraud events were detected by the tool?
- How much will they cost?
Then you can finally add the network/system security side to your analysis, showing how many attacks the SIEM tool prevented (downtime = losses, and losses = less money), how many reports you are now able to generate easily (time = money; more time = more money) and how the different teams (operations, network, security, audit, financial) are taking advantage of the solution (less work = more quality of life = more satisfaction = more production = more money).
And don't forget to answer the primary question (which is the main target of this post):
How much did the SIEM tool save?